Towards Black-box Adversarial Example Detection: A Data Reconstruction-based Method
Yifei Gao, Zhiyu Lin, Yunfan Yang, Jitao Sang

TL;DR
This paper introduces a data reconstruction-based method using variational auto-encoders to detect black-box adversarial examples, addressing a gap in existing detection techniques and improving real-world deployment potential.
Contribution
It proposes a novel data reconstruction approach with VAE for black-box adversarial example detection, filling a significant research gap.
Findings
Outperforms existing detectors in black-box scenarios
Utilizes VAE to capture pixel and frequency features
Enhances real-world applicability of adversarial detection
Abstract
Adversarial example detection is known to be an effective adversarial defense method. Black-box attack, which is a more realistic threat and has led to various black-box adversarial training-based defense methods, however, does not attract considerable attention in adversarial example detection. In this paper, we fill this gap by positioning the problem of black-box adversarial example detection (BAD). Data analysis under the introduced BAD settings demonstrates (1) the incapability of existing detectors in addressing the black-box scenario and (2) the potential of exploring BAD solutions from a data perspective. To tackle the BAD problem, we propose a data reconstruction-based adversarial example detection method. Specifically, we use variational auto-encoder (VAE) to capture both pixel and frequency representations of normal examples. Then we use reconstruction error to detect…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Bacillus and Francisella bacterial research · Anomaly Detection Techniques and Applications
